Pix 525 allow vpn to another company

I have a PIX 525 ver 6.3(2). I have some consultants who want me to allow them to VPN out of the network to their VPN Concentrator 3000 (which I have very little information about). What ports do I open to allow this?


Re: Pix 525 allow vpn to another company

Use Client Address; Check this box to let the client specify its own IP address. For maximum security, we recommend that you control IP address assignment and not use client-specified IP addresses. Do not check only this box if you are using IPSec, since IPSec does not allow client-specified IP addresses.

Make sure the setting here is consistent with the setting for Use Client Address on the PPTP/L2TP Parameters tab on the User Management | Base Group screen. A different Use Client Address setting for specific groups and users overrides the setting here and on the base group screen.

Re: Pix 525 allow vpn to another company

I am not sure if this command is implemented in 6.3.2, but try it on the CLI if it exists.

fixup protocol esp-ike

The fixup protocol esp-ike command enables PAT for Encapsulating Security Payload (ESP), single tunnel.

The fixup protocol esp-ike command is disabled by default. If a fixup protocol esp-ike command is issued, the fixup is turned on, and the firewall preserves the source port of the Internet Key Exchange (IKE) and creates a PAT translation for ESP traffic. Additionally, if the esp-ike fixup is on, ISAKMP cannot be turned on any interface.
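
A simplified model of the behaviour quoted in the reply above, added here as an illustration; it is not Cisco code and not part of the original thread. It shows why ESP, which has no port numbers, needs a dedicated translation tied to the IKE exchange, and why only a single tunnel fits through PAT. The class, method names and addresses are constructed assumptions.

```python
"""Toy model of PAT with an ESP/IKE fixup (constructed; not PIX internals)."""
IKE_PORT = 500  # UDP port used by IKE/ISAKMP


class PatFirewall:
    def __init__(self, outside_ip, esp_ike_fixup=False):
        self.outside_ip = outside_ip
        self.esp_ike_fixup = esp_ike_fixup
        self.next_port = 1024
        self.udp_xlate = {}    # outside source port -> (inside ip, inside port)
        self.esp_owner = None  # (inside ip, peer ip) of the one ESP translation

    def outbound_udp(self, src_ip, src_port, dst_ip, dst_port):
        """Return the translated (ip, port) source, or None if dropped."""
        if self.esp_ike_fixup and src_port == dst_port == IKE_PORT:
            holder = self.udp_xlate.get(IKE_PORT)
            if holder and holder[0] != src_ip:
                return None  # port 500 is already held: single tunnel only
            self.udp_xlate[IKE_PORT] = (src_ip, src_port)
            self.esp_owner = (src_ip, dst_ip)       # bind ESP to this IKE pair
            return (self.outside_ip, IKE_PORT)      # IKE source port preserved
        port, self.next_port = self.next_port, self.next_port + 1
        self.udp_xlate[port] = (src_ip, src_port)   # ordinary port rewrite
        return (self.outside_ip, port)

    def outbound_esp(self, src_ip, dst_ip):
        """ESP carries no ports, so it passes only for the host that did IKE."""
        return self.outside_ip if self.esp_owner == (src_ip, dst_ip) else None

    def inbound_esp(self, peer_ip):
        """Return the inside host that receives ESP from peer_ip, or None."""
        if self.esp_owner and self.esp_owner[1] == peer_ip:
            return self.esp_owner[0]
        return None


if __name__ == "__main__":
    # Constructed addresses: inside hosts 10.0.0.5/.6, peer 203.0.113.10.
    fw = PatFirewall("198.51.100.1", esp_ike_fixup=True)
    print(fw.outbound_udp("10.0.0.5", 500, "203.0.113.10", 500))  # first client
    print(fw.inbound_esp("203.0.113.10"))                         # return ESP
    print(fw.outbound_udp("10.0.0.6", 500, "203.0.113.10", 500))  # second client
```

Because the model hands outside UDP port 500 to the inside client, it also reflects why the firewall cannot run ISAKMP on its own interface while the fixup is on.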